feat(vault): switch to Kubernetes service registration (#171)
Replaces Consul service registration with the native Kubernetes provider so Vault labels its own pods with active/standby/perf-standby status without requiring a Consul dependency.
## Changes
- `values.yaml`: swap `service_registration "consul"` for `service_registration "kubernetes" {}`, add `VAULT_K8S_NAMESPACE` and `VAULT_K8S_POD_NAME` env vars via downward API
- `role_k8s-service-registration.yaml`: Role + RoleBinding granting the `vault` service account `get`/`update`/`patch` on pods
- `kustomization.yaml`: include new RBAC file
Reviewed-on: #171
This commit was merged in pull request #171.
This commit is contained in:
@@ -6,3 +6,4 @@ resources:
|
|||||||
- namespace.yaml
|
- namespace.yaml
|
||||||
- gateway.yaml
|
- gateway.yaml
|
||||||
- httproute.yaml
|
- httproute.yaml
|
||||||
|
- role_k8s-service-registration.yaml
|
||||||
|
|||||||
@@ -0,0 +1,24 @@
|
|||||||
|
---
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: Role
|
||||||
|
metadata:
|
||||||
|
name: vault-k8s-service-registration
|
||||||
|
namespace: vault
|
||||||
|
rules:
|
||||||
|
- apiGroups: [""]
|
||||||
|
resources: ["pods"]
|
||||||
|
verbs: ["get", "update", "patch"]
|
||||||
|
---
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: RoleBinding
|
||||||
|
metadata:
|
||||||
|
name: vault-k8s-service-registration
|
||||||
|
namespace: vault
|
||||||
|
roleRef:
|
||||||
|
apiGroup: rbac.authorization.k8s.io
|
||||||
|
kind: Role
|
||||||
|
name: vault-k8s-service-registration
|
||||||
|
subjects:
|
||||||
|
- kind: ServiceAccount
|
||||||
|
name: vault
|
||||||
|
namespace: vault
|
||||||
@@ -40,9 +40,7 @@ server:
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
service_registration "consul" {
|
service_registration "kubernetes" {}
|
||||||
address = "consul-server.consul.svc.cluster.local:8500"
|
|
||||||
}
|
|
||||||
|
|
||||||
dataStorage:
|
dataStorage:
|
||||||
enabled: true
|
enabled: true
|
||||||
@@ -50,6 +48,14 @@ server:
|
|||||||
storageClass: cephrbd-fast-delete
|
storageClass: cephrbd-fast-delete
|
||||||
accessMode: ReadWriteOnce
|
accessMode: ReadWriteOnce
|
||||||
|
|
||||||
|
extraEnv:
|
||||||
|
- name: VAULT_K8S_NAMESPACE
|
||||||
|
value: vault
|
||||||
|
- name: VAULT_K8S_POD_NAME
|
||||||
|
valueFrom:
|
||||||
|
fieldRef:
|
||||||
|
fieldPath: metadata.name
|
||||||
|
|
||||||
statefulSet:
|
statefulSet:
|
||||||
securityContext:
|
securityContext:
|
||||||
container:
|
container:
|
||||||
|
|||||||
Reference in New Issue
Block a user